What is SSRF?
According to PortSwigger, Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing.
In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization’s infrastructure, or to external third-party systems.
What is XSS?
According to OWASP, Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Let’s get started:
While testing a domain, I found a subdomain which was using a JIRA instance. I checked the version with the Wappalyzer tool; it was “version 5.8.X”, and this version was vulnerable to SSRF. I remembered the write-up by “Alyssa Herrera” (“https://infosecwriteups.com/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a”).
There was an endpoint “plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com”
So I followed the write-up. I went to the brute-XSS blog, replaced http://google.com with http://brutelogic.com.br/poc.svg ... Boom, XSS popped up!
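The endpoint above fetches whatever URL it is given and relays the response to the browser, which is why a fetched SVG rendered as XSS. As an added example that is neither JIRA's code nor the author's, here is how a defender would harden such an icon-proxy endpoint: an allowlist on scheme and host, a check on the IP the fetcher actually connected to (so loopback, RFC1918 and link-local targets are refused), and a relay policy that only echoes raster image types with content sniffing disabled. The allowlist host and the sample addresses are constructed.

```python
# Added example: hardening a "fetch this URL and echo it back" icon proxy.
# Assumes the endpoint takes a user-supplied URL and returns the fetched bytes.
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com"}          # constructed allowlist
# SVG is XML and may contain <script>, so only raster formats are relayed.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def validate_icon_url(url: str, resolved_ip: str) -> Tuple[bool, str]:
    """Return (ok, reason). resolved_ip is the address the HTTP client is
    pinned to after a single DNS lookup, so a rebinding host cannot swap
    a public answer for an internal one between check and fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    ip = ipaddress.ip_address(resolved_ip)
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, "resolves to internal address"
    return True, "ok"


def response_headers_for(content_type: str) -> Optional[dict]:
    """Headers used when relaying a fetched body; None means refuse to relay."""
    mime = content_type.split(";")[0].strip().lower()
    if mime not in ALLOWED_IMAGE_TYPES:
        return None
    return {
        "Content-Type": mime,
        # Stop the browser from sniffing the body into text/html or SVG.
        "X-Content-Type-Options": "nosniff",
        # Even if rendered as a document, no script and no origin access.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

Pinning the resolved IP matters: validating the hostname alone still leaves a DNS-rebinding window between the check and the fetch.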
I also want to share some tips for beginners on how to succeed in bug bounties.
- Try to hunt in less crowded programs.
- Search for targets with a large scope.
- Don’t focus only on the main domain; focus on subdomains.
- Last but not least, keep trying.
Hope you guys learnt something new. If you liked it, share it with your fellow hackers. I’ll be posting 2 write-ups a week. Until then, goodbye!